Another infected device

Recently we released a product especially for netbooks, so we’re performing compatibility tests on newly released netbooks on an ongoing basis. The other day we bought a brand new M&A Companion Touch to test. After initial checks, the testing group contacted me because they suspected a malware infection. Could this be yet another example of a factory-infected device?

A scan detected the following malware: Worm.Win32.AutoRun.aayn, Rootkit.Win32.Agent.hwq and Packed.Win32.Krap.g. For anyone interested, here are the MD5s:

Worm.Win32.Autorun.aayn: 0x4f90e62489e5a891a1d9520408164b8c
Rootkit.Win32.Agent.hwq: 0x7f289b08a41ef6c26b684dc4d95028ee
Packed.Win32.Krap.g: 0x1928c09bdb7d2c7d1180bf2105e1315a

After some analysis I was able to determine that these files had been present since February 2009, a long time before we got the netbook.

The AutoRun worm spreads to removable devices, exploiting weaknesses in how Microsoft implemented the functionality. I blogged about the problem over at zdnet. What probably happened is that somebody used an infected USB stick and hooked it up to the machine while installing some drivers for it.
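The worm relies on an autorun.inf dropped on the removable device so that Windows launches its payload when the stick is plugged in. The following is an added example, not code from the original post or from Kaspersky: a small triage routine that parses an autorun.inf taken from removable media and flags the launch directives an infection typically sets (an `open=` or `shellexecute=` entry or a `shell\<verb>\command=` entry pointing at an executable, and an `action=` label that imitates the default "Open folder to view files" entry). The sample file contents are constructed for the example.

```python
"""Triage an autorun.inf from removable media for launch directives.

Added example for illustration; not the worm's own file and not Kaspersky's
detection logic. The two sample autorun.inf texts below are constructed.
"""
import re
from typing import Dict, List

# Keys that make Windows run something directly from the medium.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|hta)\b", re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI parser: lowercase key -> value for the [autorun] section only."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[str]:
    """Return one finding per directive that would launch code or mislead the user."""
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= all run a program.
        is_launch = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if is_launch and EXEC_EXT.search(value):
            findings.append(f"launch directive '{key}' runs executable: {value}")
        # A worm often relabels its AutoPlay entry to look like Explorer's default.
        if key == "action" and "open folder" in value.lower():
            findings.append(f"action label imitates Explorer default: {value}")
    return findings


# Constructed sample resembling a worm-planted autorun.inf (hypothetical paths).
SAMPLE_INFECTED = r"""[autorun]
open=RECYCLER\setup.exe
shell\open\Command=RECYCLER\setup.exe
shell\explore\Command=RECYCLER\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign sample: only cosmetic keys, nothing is launched.
SAMPLE_BENIGN = """[autorun]
icon=driver.ico
label=Driver CD
"""

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(name, triage_autorun(sample))
```

On a real stick, read the file with `open(path, encoding="latin-1")` before calling `triage_autorun`; the parser ignores everything outside the `[autorun]` section, so vendor driver CDs that only set `icon=` and `label=` produce no findings.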

The true purpose of this worm is to steal passwords for a number of online games, such as Lord of the Rings and Maple Story. It also uses a special downloader mechanism. The PE files are encoded and prepended with a fake RAR header to fool security solutions. We detect such ‘malformed’ files as Trojan.Win32.Ramag.
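The fake-RAR trick works because a scanner that trusts the leading signature treats the file as an archive and never looks at what follows. As an added example (not the post's or Kaspersky's detection code), the routine below checks a file's leading bytes two ways: if it carries a RAR 4.x signature, the marker block must be followed by a main archive header (block type 0x73), and any MZ/PE image found after the signature is reported. The structural check is what catches the encoded payload the post describes; the PE scan only fires when the wrapped executable is left unencoded. The byte strings used as input are constructed.

```python
"""Flag files that start with a RAR signature but are not RAR archives,
or that carry a PE image behind the RAR header.

Added example; not Kaspersky's detection logic. Sample inputs are constructed.
"""
import struct
from typing import List

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 4.x marker block (7 bytes)
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature (structure not parsed here)
ARCHIVE_HEADER_TYPE = 0x73           # RAR 4.x main archive header block type


def rar4_structure_ok(data: bytes) -> bool:
    """After the marker block a RAR 4.x file carries the main archive header:
    CRC16 (2 bytes), block type (1 byte, must be 0x73), flags (2), size (2)."""
    if len(data) < 14:
        return False
    return data[9] == ARCHIVE_HEADER_TYPE


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits: List[int] = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0 < e_lfanew < 0x10000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def classify(data: bytes) -> str:
    """Verdict string for the leading bytes of a file."""
    if data.startswith(RAR5_SIG):
        return "rar5 signature (structure not checked)"
    if not data.startswith(RAR4_SIG):
        return "not rar"
    pe_offsets = find_embedded_pe(data)
    if pe_offsets:
        return f"suspicious: rar header with PE image at offset {pe_offsets[0]}"
    if not rar4_structure_ok(data):
        return "suspicious: rar header with malformed archive body"
    return "rar archive"


# Constructed minimal PE stub: 'MZ', e_lfanew = 0x40, 'PE\0\0' at that offset.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

# Constructed: RAR signature, 9 filler bytes, then an unencoded PE image.
FAKE_RAR_WRAPPED_PE = RAR4_SIG + b"\x00" * 9 + PE_STUB

# Constructed: RAR signature followed by a well-formed main archive header
# (CRC 0x0000, type 0x73, flags 0x0000, size 13, 6 reserved bytes) and padding.
GENUINE_LIKE_RAR = RAR4_SIG + b"\x00\x00" + b"\x73" + b"\x00\x00" + b"\x0d\x00" + b"\x00" * 26

if __name__ == "__main__":
    for label, blob in (("wrapped PE", FAKE_RAR_WRAPPED_PE), ("archive", GENUINE_LIKE_RAR)):
        print(label, "->", classify(blob))
```

Feed `classify` the first few kilobytes of each file (`open(path, "rb").read(4096)`); the header check needs only the first 14 bytes, and reading a bounded prefix keeps the triage cheap when sweeping a whole drive.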

This case shows once again that even brand new products can leave the factory infected. Safeguarding against infected new devices is particularly difficult. An offline scan with an up-to-date security solution is normally the most effective measure. As there will have been a time lapse between the device getting infected and you getting your hands on it, your security solution should have no problem detecting the malware.

Naturally, we’ve informed M&A of our findings – but since the device is out there, we are also warning users.
